As the country's electricity grid undergoes a transformation and moves toward a more intelligently networked, automated system, it faces an increasing amount cybersecurity issues.

Watchdogs at the Government Accountability Office today said while the increased use of smart grid systems may have a number of benefits, "including improved reliability from fewer and shorter outages, downward pressure on electricity rates due to the ability to shift peak demand, an improved ability to transmit power from alternative energy sources such as wind, and an improved ability to detect and respond to potential attacks on the grid," many challenges remain.

From its report, the GAO identified the following six challenges that are key to ensuring the cybersecurity of the nation's electricity grid.

• Lack of information: Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems. Specifically, there is concern that consumers are not aware of the benefits, costs and risks associated with smart grid systems. This lack of awareness may limit the extent to which consumers are willing to pay for secure and reliable systems, which may cause regulators to be reluctant to approve rate increases associated with cybersecurity. As a result, until consumers are more informed about the benefits, costs and risks of smart grid systems, utilities may not invest in, or get approval for, comprehensive security for smart grid systems, which may increase the risk of attacks succeeding.

• Lack of focus: Utilities are focusing on regulatory compliance instead of comprehensive security. The existing federal and state regulatory environment creates a culture within the utility industry of focusing on compliance with cybersecurity requirements, instead of a culture focused on achieving comprehensive and effective cybersecurity. Specifically, experts told the GAO that utilities focus on achieving minimum regulatory requirements rather than designing a comprehensive approach to system security. In addition, one expert stated that security requirements are inherently incomplete, and having a culture that views the security problem as being solved once those requirements are met will leave an organization vulnerable to cyber attack. Consequently, without a comprehensive approach to security, utilities leave themselves open to unnecessary risk.

• Lack of security features: There is a lack of security features being built into smart grid systems. Security features are not consistently built into smart grid devices. For example, our experts told us that certain currently available smart meters have not been designed with a strong security architecture and lack important security features, including event logging and forensics capabilities which are needed to detect and analyze attacks. In addition, the GAO stated that smart grid home area networks — used for managing the electricity usage of appliances and other devices in the home — do not have adequate security built in, thus increasing their vulnerability to attack. Without securely designed smart grid systems, utilities will be at risk of not having the capacity to detect and analyze attacks, which increases the risk that attacks will succeed and utilities will be unable to prevent them from recurring.

• Information sharing: The electricity industry does not have an effective mechanism for sharing information on cybersecurity and other issues. The electricity industry lacks an effective mechanism to disclose information about smart grid cybersecurity vulnerabilities, incidents, threats, lessons learned and best practices in the industry. For example, the GAO stated that while the electricity industry has an information sharing center, it does not fully address these information needs.

According to the GAO, information regarding incidents such as both unsuccessful and successful attacks must be able to be shared in a safe and secure way to avoid publicly revealing the reported organization and penalizing entities actively engaged in corrective action. Such information sharing across the industry could provide important information regarding the level of attempted cyber attacks and their methods, which could help grid operators better defend against them. If the industry pursued this end, it could draw upon the practices and approaches of other industries when designing an industry-led approach to cybersecurity information sharing. Without quality processes for information sharing, utilities will not have the information needed to adequately protect their assets against attackers.

• Measure success?: The electricity industry does not have metrics for evaluating cybersecurity. The electricity industry is also challenged by a lack of cybersecurity metrics, making it difficult to measure the extent to which investments in cybersecurity improve the security of smart grid systems. The GAO noted that while such metrics are difficult to develop, they could help compare the effectiveness of competing solutions and determine what mix of solutions combine to make the most secure system. Furthermore, our experts said that having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.

• Regulation issues: Aspects of the current regulatory environment make it difficult to ensure the cybersecurity of smart grid systems. In particular, jurisdictional issues and the difficulties associated with responding to continually evolving cyber threats are a key regulatory challenge to ensuring the cybersecurity of smart grid systems as they are deployed. Regarding jurisdiction, experts expressed concern that there was a lack of clarity about the division of responsibility between federal and state regulators, particularly regarding cybersecurity. While jurisdictional responsibility has historically been determined by whether a technology is located on the transmission or distribution system, experts raised concerns that smart grid technology may blur these lines. For example, devices such as smart meters deployed on parts of the grid traditionally subject to state jurisdiction could, in the aggregate, have an impact on those parts of the grid that federal regulators are responsible for — namely the reliability of the transmission system.

There is also concern about the ability of regulatory bodies to respond to evolving cybersecurity threats. For example, one expert questioned the ability of government agencies to adapt to rapidly evolving threats, while another highlighted the need for regulations to be capable of responding to the evolving cybersecurity issues. In addition, our experts expressed concern with agencies developing regulations in the future that are overly specific in their requirements, such as those specifying the use of a particular product or technology. Consequently, unless steps are taken to mitigate these challenges, regulations may not be fully effective in protecting smart grid technology from cybersecurity threats.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.